[strongSwan] Net-to-Net wrong source IP of VPN server.
Lukas Hejmal
lukas at hejmal.eu
Mon May 2 13:01:38 CEST 2016
Hello Tobias,
I'm very sorry for the previous wrong output. It was caused by the fact that I had
the wrong config loaded (where I was trying various things in order to fix my
problem). Now I restarted ipsec on both VPN boxes and I have:
# ip route list table 220
192.168.1.0/24 via 1.2.3.1 dev eth0.2 proto static src 192.168.2.1
But when I ping a host that is obviously running and has a firewall
with any/any allow:
# ping 192.168.1.54
PING 192.168.1.54 (192.168.1.54): 56 data bytes
^C
--- 192.168.1.54 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
#
When I run tcpdump on the same system I can see:
# tcpdump -i any -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
12:47:09.671920 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 0, length 64
12:47:10.672438 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 1, length 64
12:47:11.672876 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 2, length 64
12:47:12.673316 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 3, length 64
12:47:13.673749 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 4, length 64
12:47:14.674188 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 5, length 64
12:47:15.674639 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 6, length 64
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel
#
If I understand it correctly, I should see "192.168.2.1 >
192.168.1.54" there instead of "1.2.3.4 > 192.168.1.54".
Also, if I run tcpdump on the other VPN server, I get no ping at all.
Here is the log with knl set to 2. This is what I got when the connection was
established:
13[KNL] got SPI c9cc5971
13[KNL] adding SAD entry with SPI c9cc5971 and reqid {1} (mark 0/0x00000000)
13[KNL] using encryption algorithm AES_CBC with key size 128
13[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
13[KNL] using replay window of 32 packets
13[KNL] adding SAD entry with SPI cec8aa6b and reqid {1} (mark 0/0x00000000)
13[KNL] using encryption algorithm AES_CBC with key size 128
13[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
13[KNL] using replay window of 32 packets
13[KNL] adding policy 192.168.2.0/24 === 192.168.1.0/24 out (mark 0/0x00000000)
13[KNL] adding policy 192.168.1.0/24 === 192.168.2.0/24 in (mark 0/0x00000000)
13[KNL] adding policy 192.168.1.0/24 === 192.168.2.0/24 fwd (mark 0/0x00000000)
13[KNL] getting a local address in traffic selector 192.168.2.0/24
13[KNL] using host 192.168.2.1
13[KNL] using 1.2.3.1 as nexthop to reach 4.3.2.1/32
13[KNL] 1.2.3.4 is on interface eth0.2
13[KNL] installing route: 192.168.1.0/24 via 1.2.3.1 src 192.168.2.1 dev eth0.2
13[KNL] getting iface index for eth0.2
13[KNL] policy 192.168.2.0/24 === 192.168.1.0/24 out (mark 0/0x00000000) already exists, increasing refcount
13[KNL] updating policy 192.168.2.0/24 === 192.168.1.0/24 out (mark 0/0x00000000)
13[KNL] policy 192.168.1.0/24 === 192.168.2.0/24 in (mark 0/0x00000000) already exists, increasing refcount
13[KNL] updating policy 192.168.1.0/24 === 192.168.2.0/24 in (mark 0/0x00000000)
13[KNL] policy 192.168.1.0/24 === 192.168.2.0/24 fwd (mark 0/0x00000000) already exists, increasing refcount
13[KNL] updating policy 192.168.1.0/24 === 192.168.2.0/24 fwd (mark 0/0x00000000)
13[KNL] getting a local address in traffic selector 192.168.2.0/24
13[KNL] using host 192.168.2.1
13[KNL] using 1.2.3.1 as nexthop to reach 4.3.2.1/32
13[KNL] 1.2.3.4 is on interface eth0.2
13[IKE] CHILD_SA tva-to-vino{1} established with SPIs c9cc5971_i cec8aa6b_o and TS 192.168.2.0/24 === 192.168.1.0/24
13[KNL] 1.2.3.4 is on interface eth0.2
13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
On 5/2/2016 11:20, Tobias Brunner wrote:
> Hi Lukas,
>
>> # ip route list table 220
>> 192.168.1.0/24 via 1.2.3.1 dev eth0.2 proto static src 1.2.3.4
>> #
>>
>> where 1.2.3.4 is locally attached, publicly reachable IP address and
>> 1.2.3.1 is default gw for this public IP address.
> Looks strange. The source address should be part of the local traffic
> selector (192.168.2.0/24), which 1.2.3.4 is probably not. Please
> increase the log level for the knl subsystem to see what's going on
> during the route/policy installation [1].
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>
>
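An added diagnostic check for the situation in this thread (my own example, not code from the thread or from strongSwan): it parses the `ip route list table 220` and `tcpdump` output quoted above, confirms that the route's `src` lies inside the local traffic selector, and flags packets toward the remote subnet whose source address is outside it. Such packets do not match the out policy 192.168.2.0/24 === 192.168.1.0/24, so they leave unencrypted, which is consistent with the remote gateway capturing nothing. The sample lines are constructed from the addresses in the thread.

```python
import ipaddress
import re

# Constructed sample output, modelled on the lines quoted in the thread.
ROUTE_TABLE_220 = """\
192.168.1.0/24 via 1.2.3.1 dev eth0.2 proto static src 192.168.2.1
"""
TCPDUMP_ICMP = """\
12:47:09.671920 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 0, length 64
12:47:10.672438 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 1, length 64
"""

# "ip route" line: <dst> via <gw> dev <dev> ... src <src>
ROUTE_RE = re.compile(r"^(?P<dst>\S+) via (?P<gw>\S+) dev (?P<dev>\S+).*?\bsrc (?P<src>\S+)")
# tcpdump -n line: "... IP <src> > <dst>: ..."
PKT_RE = re.compile(r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+):")


def check_route_src(route_output, local_ts, remote_ts):
    """For each table-220 route to remote_ts, return (dst, src, src_in_local_ts)."""
    local = ipaddress.ip_network(local_ts)
    remote = ipaddress.ip_network(remote_ts)
    results = []
    for line in route_output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m or ipaddress.ip_network(m["dst"]) != remote:
            continue
        src = ipaddress.ip_address(m["src"])
        results.append((m["dst"], str(src), src in local))
    return results


def check_packet_sources(tcpdump_output, local_ts, remote_ts):
    """Return source addresses of packets toward remote_ts that fall outside local_ts.

    Those packets cannot match the 'out' policy local_ts === remote_ts and
    are therefore sent in the clear rather than through the CHILD_SA."""
    local = ipaddress.ip_network(local_ts)
    remote = ipaddress.ip_network(remote_ts)
    bad = set()
    for line in tcpdump_output.splitlines():
        m = PKT_RE.search(line)
        if m and ipaddress.ip_address(m["dst"]) in remote \
                and ipaddress.ip_address(m["src"]) not in local:
            bad.add(m["src"])
    return sorted(bad)


if __name__ == "__main__":
    print(check_route_src(ROUTE_TABLE_220, "192.168.2.0/24", "192.168.1.0/24"))
    print(check_packet_sources(TCPDUMP_ICMP, "192.168.2.0/24", "192.168.1.0/24"))
```

With the thread's data the route check passes but the packet check reports 1.2.3.4, i.e. the route's `src` hint is correct yet the ping is not using it, so the next thing to inspect is what selects the source address for locally generated traffic on that box.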